LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Exploring options for the openSUSE security policy

Exploring options for the openSUSE security policy

Posted May 24, 2012 16:28 UTC (Thu) by ortalo (subscriber, #4654)
Parent article: Exploring options for the openSUSE security policy

These difficulties were certainly predictable. Something pretty annoying for anyone working in security (yours included btw) is the fact that, ideally, security mechanisms should be *extremely* adaptable both to users needs and to the computer environment.
Such an high need of adaptability never stopped to strike me for more than a decadeof work in the field; and now makes me more and more wonder if it would not be wiser to design an adaptable system from the beginning than to try to define a complete security policy. (Note that I have also evolved with time from desiring strong and robust security properties to hoping for acceptable minimisation of risk at the right place and intrusion tolerance in salvageable areas.)
However, this viewpoint evolution is only apparently negative as it also involved a lot of fruitful listening to real end users of "secure" systems.

As a practical example, Linus apparently does not want to enter a password every time to install a printer. But maybe he would *like* to enter a password once in order to deactivate printer install protection.

Defining the "right"(tm) security policy not only involves a lot of technical or organizational know-how, but it also implies that there exist a very powerful authority somewhere that can legitimately impose fixed rules on an entire computer system for its whole lifetime.
Maybe such an authority simply does not exist for general common issues [1].
So, why not try instead to rely on the available authorities at the time of the decision? At install time, ask the right question for defaults. Take the opportunity of a (by default)-priviledged operation to obtain more information about the security rules the user wants in the system on this kind of action. And then, record in detail and reliably these *decisions* in order to explain them very precisely later [2]. The involved users will be accountable, not the security policy designer (which will always be culprit by default).

Well maybe I should put more work on a real design and try to write a specification in order to check (at least for myself) if it's realistic. But I hope you get the idea, and thanks for reading up to here. :-)

Rodolphe

[1] Such an authority may exist, but in civilian systems maybe only at the core of something like a (criminal) judicial system. Amusing, but not something common. ("Computer, this is policed, I have a warrant; decipher all your disk. You are allowed to start lawyerd concurrently.")

[2] "I accept p2pd connections because X explicitly told me to do it like this on 2012-01-13 11:13 and entered the admin password 3 times to force me to do it. That admin password had been selected at install time 2 years ago and only used 1 time since then, so it thought it would be enough as a proof that it was the legitimate owner."

(Log in to post comments)

Exploring options for the openSUSE security policy

Posted May 24, 2012 20:56 UTC (Thu) by ras (subscriber, #33059) [Link]

You are making the situation far more complex than it needs to be. The issue is not whether the user should need the root password to make a system wide change. The answer to that is probably "yes".

The real issue is a user changing their time zone should require a system wide change. It only effects them. There are no security implications. Ergo no root password should be required. Ditto for adding a printer for the users exclusive use. Ditto for adding packages only visible to them.

The fact that these operations and others are currently implemented by making system wide changes (and thus require a root password) is the bug, not demanding the password.

Exploring options for the openSUSE security policy

Posted May 25, 2012 7:47 UTC (Fri) by aj (subscriber, #39001) [Link]

Changing the timezone happens right now via changing /etc/localtime - and thus is a global option.

For a user changing his own timezone would mean changing the TZ environment variable and restarting programs...

Exploring options for the openSUSE security policy

Posted May 25, 2012 7:48 UTC (Fri) by aj (subscriber, #39001) [Link]

I reread your comment - yes, a clever way to make a timezone change that only affects a single user would be nice. It's indeed just not there.

Exploring options for the openSUSE security policy

Posted May 25, 2012 9:42 UTC (Fri) by dgm (subscriber, #49227) [Link]

http://www.cyberciti.biz/faq/howto-linux-set-time-zone-pe...

Exploring options for the openSUSE security policy

Posted May 25, 2012 20:24 UTC (Fri) by ortalo (subscriber, #4654) [Link]

Thanks for solving the timezone issue (imho).
Whatabout the wider issues then?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds